I already don't like the idea of using cgi params or cookies

Cookies are pretty standard. Or you could use HTTP basic authentication.

But if you want to be secure, you'll have to use HTTPS anyway. And then you can client-side SSL certificates for authentication. But be warned, compared to cookies they are a pain to create, set up and maintain.